This seems like it requires some sort of UUID guessing, thus I suggest a class D according to the VMT taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1621626

Title:
  Unauthenticated requests return information

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  I can get information back on an unauthenticated request.

  $ curl http://192.168.122.126:35357/v3/projects/8d34a533f85b423e8589061cde451edd/users/68ec7d9b6e464649b11d1340d5e05666/roles/ca314e7f7faf4f948bf6e7cf2077806e
  {"error": {"message": "Could not find role: ca314e7f7faf4f948bf6e7cf2077806e", "code": 404, "title": "Not Found"}}

  This should have returned 401 Unauthenticated, like this:

  $ curl http://192.168.122.126:35357/v3/projects
  {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

  To recreate, just start up devstack on stable/mitaka and do the above request.

  I tried this on master and it's fixed. Probably by https://review.openstack.org/#/c/339356/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1621626/+subscriptions
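The check a practitioner would want after reading this report is a regression probe: send requests with no X-Auth-Token to the role-assignment paths and flag any response other than 401, since a 404 (or 200/403) means the resource lookup ran before authentication and the error message reveals whether the guessed IDs exist. The script below is an added example written for this note; it is not code from the bug report or from keystone. It assumes a keystone v3 endpoint passed on the command line (the bug's http://192.168.122.126:35357/v3 is only a placeholder) and uses freshly generated random UUIDs for the project, user and role IDs, so the expected answer for every path is 401 regardless of what exists.

```python
import json
import sys
import uuid
import urllib.error
import urllib.request

# Paths from the bug report, generalised to the other ID-bearing role-assignment
# URLs a v3 deployment exposes.  IDs are random (assumption), so nothing should
# be found; an authenticated-first server answers 401 to all of them.
def candidate_paths(project_id, user_id, role_id):
    return [
        "/projects",
        "/projects/%s" % project_id,
        "/projects/%s/users/%s/roles" % (project_id, user_id),
        "/projects/%s/users/%s/roles/%s" % (project_id, user_id, role_id),
        "/users/%s" % user_id,
        "/roles/%s" % role_id,
    ]


def classify(status, body):
    """Verdict for an unauthenticated request.

    401 means authentication was enforced before any lookup ("ok").  Any other
    status means the server did work on the supplied IDs first and the reply
    (for example 'Could not find role: <id>') carries information ("leak").
    """
    try:
        message = json.loads(body).get("error", {}).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    return ("ok" if status == 401 else "leak", message)


def probe(url):
    """GET url with no token; return (status, body) even for HTTP errors."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def run(base_url):
    """Probe every candidate path; return the list of (path, status, message) that leaked."""
    ids = [uuid.uuid4().hex for _ in range(3)]
    leaks = []
    for path in candidate_paths(*ids):
        status, body = probe(base_url.rstrip("/") + path)
        verdict, message = classify(status, body)
        print("%-4s %s %s %s" % (verdict, status, path, message))
        if verdict == "leak":
            leaks.append((path, status, message))
    return leaks


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:35357/v3"
    sys.exit(1 if run(base) else 0)
```

Run it against a stable/mitaka devstack and the nested role path should print "leak 404 ..."; against a deployment carrying the fix every line should be "ok 401". The exit status makes it usable as a post-upgrade gate.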